
PART FOUR



Presentation Transcript


  1. PART FOUR
     NC DHHS HIPAA PMO

  2. Business Associates

  3. Misconception
     • All Contractors Will Become Business Associates
     • Not True! In Fact, Probably Very Few Contractors Will Become Business Associates

  4. Who Is A Business Associate?
     • A person who, on behalf of a covered health care component (but other than a workforce member), performs or assists in performing a function or activity; or provides legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation or financial services to or for the covered health care component, where that function or service involves the use or disclosure of protected health information (PHI)

  5. Identifying a Business Associate
     • An individual or organization that performs a service, other than treatment…
       • on behalf of a covered health care component
       • involves the use/disclosure of PHI
       • other than a member of workforce
     • Must meet these three required elements

  6. Member of Workforce
     • Workforce means employees, volunteers, trainees, and other persons whose conduct, in the performance of work for a covered health care component, is under the direct control of such entity, whether or not they are paid by the covered health care component
     • Member of workforce test:
       • Works on site of the covered health care component
       • Works under the direction and control of covered health care component
       • MUST FOLLOW POLICIES/PROCEDURES OF CHCC

  7. Example of Business Associate
     • Collection agency whose contract is to contact individuals with delinquent accounts in an effort to recoup payment for services.
     • The collection agency is performing a service for a covered health care component.
     • The collection agency has access to elements of protected health information in order to contact individuals.
     • The collection agency is not part of the covered health care component’s workforce.

  8. Other Potential Business Associates
     • Private Attorneys
     • Risk Management Consultants
     • Transcription Vendors
     • QI Consultants
     • Auditing Firms
     • Record Copying Services
     • Joint Commission (JCAHO)
     • Architects

  9. Covered Services under HIPAA
     • The Privacy Regulations are specific as to the services that typically require a Business Associate relationship.
     • The Regulations also provide a list of functions or activities that may require a Business Associate relationship.

  10. Examples of Covered Services
     • Legal Services
       • Attorney representing agency
     • Actuarial Services
       • Benefits Management
     • Accounting Services
       • Claims Processing
       • Claims Administration
     • Consulting Services
       • Professional Services
       • Assessments
     • Data Aggregation
       • Data Analysis
       • Data Processing

  11. More Examples of Covered Services
     • Management Services
       • Utilization Review
       • Central Office Supervision
     • Administrative Services
       • Facility Management
       • Purchasing
     • Accreditation Services
       • JCAHO
       • Council on Accreditation
     • Financial Services
       • Re-pricing
       • Rate Setting

  12. Services That MAY Require Business Associate Relationship
     • Treatment Services
       • Services that involve more than just treatment, such as serving on UR Committee, etc.
     • Banking Services
       • Services that involve more than just the transfer of funds for compensation for health care
     • Courier Services
       • HIPAA excludes courier or other postal services
     • Administrative Services
       • Services that involve the use of PHI

  13. What About Treatment?
     • The “treatment” exception does not require a Business Associate relationship when the service is strictly treatment only and no other administrative services are provided, such as performing utilization review.
     • This does not negate the DHHS requirement for a CONTRACT with a treatment service provider, and whenever in doubt… include HIPAA language.

  14. More Services That MAY Require A Business Associate Relationship
     • Third-Party Cleaning Service
       • Services provided under direct control of CHCC that involve the use of PHI
     • Board Member
       • Typically a board is not under direct control of CHCC; services may or may not involve the use of PHI

  15. Incidental Access to PHI
     • Incidental access to PHI is generally not grounds for a business associate relationship.
     • Incidental access may occur when a service provider may be performing a service in your facility and incidentally have access to PHI in the performance of those services.
     • Unless the use and disclosure of PHI is required in the performance of the service, it is considered incidental access.
     • Incidental access would need to be addressed in other ways, such as remediation of security policies and procedures regarding the accessibility of PHI.

  16. What Does NOT Constitute a Business Associate Relationship?
     • A person who provides treatment services on behalf of the covered health care component.
     • A bank that provides financial transactions.
     • A courier or postal service that transports protected health information on behalf of the covered health care component.
     • Administrative services when protected health information is not used or disclosed.
     • A member of the covered health care component’s WORKFORCE.

  17. Business Associate Requirements
     • Must enter into an agreement with a covered health care component
     • Must agree to not use or further disclose PHI other than as permitted or required in the agreement.
     • Must use appropriate safeguards to prevent unauthorized use or disclosure of PHI.
     • Must report any unauthorized use or disclosure of PHI to the covered health care component.
     • Must agree to provide client access to BA records at the request of the covered health care component.

  18. What is Not Required of Business Associates?
     • A Business Associate is not directly subject to the HIPAA Regulations.
     • A Business Associate DOES NOT have to appoint a Privacy Officer.
     • A Business Associate does not have to develop and post a Notice of Information Practices.

  19. “Satisfactory Assurance” = Agreement
     • A covered health care component may disclose protected health information to a Business Associate and may allow a Business Associate to create or receive protected health information on its behalf, if the covered component obtains satisfactory assurance that the Business Associate will appropriately safeguard the information.
     • Satisfactory assurance that the Business Associate will protect client information is accomplished through a Business Associate Agreement (contract/MOU).

  20. DHHS Standard Contracts
     • DHHS is responsible for revising its standard contract templates to include the appropriate HIPAA language.
     • Each covered health care component will have to customize the HIPAA language with each Business Associate Agreement to fit the specific requirements agreed upon during negotiations.

  21. Requirements in Business Associate Agreements
     • Required uses and disclosures of PHI
     • Permissible uses and disclosures of PHI
     • Safeguards
     • Reporting of unauthorized use/disclosure
     • Use of subcontractors
     • Access to records
     • Record keeping requirements
     • Disposition of PHI
     • Grounds for termination

  22. Liability for Business Associates
     • Covered health care components are not required to actively monitor their Business Associates. However,
       • the contract must obligate the Business Associate to advise the covered health care component when violations have occurred; and
       • if the covered health care component is aware of violations or breach of Business Associate obligations, the covered health care component must take ‘reasonable steps’ to assure such breach or violation will not continue to occur, or end the contract.

  23. How Does This Affect DHHS?
     • DHHS is a hybrid entity that has covered health care components within some of its divisions
     • Services are provided to these covered health care components by
       • Other workgroups in the same division
       • Workgroups in other DHHS divisions
       • Workgroups in other NC Departments
       • External contractors/vendors

  24. Business Associate Categories
     • Division Business Associates – workgroups within the same division
     • DHHS Business Associates – workgroups from another DHHS division
     • State Government Business Associates – workgroups from another NC State Department
     • External Business Associate – Private/Public external contractor/vendor

  25. Internal Business Associate Test
     • When making the determination whether or not a workgroup internal to the state system is a Business Associate, follow these steps:
       • Identify workgroups that perform on your behalf
       • Determine if the service provided is covered under HIPAA
       • Determine if PHI is exchanged
       • Determine how PHI is used
       • Determine how to “assure” PHI is safeguarded

  26. External Business Associate Test
     • When making the determination whether or not an external contractor (private or public) is a Business Associate, follow these steps:
       • Determine if service provided is covered under HIPAA
       • Determine if service provider is part of your workforce
       • Determine if PHI is exchanged
       • Determine how PHI is used
       • Determine language to be included in agreement to safeguard PHI

  27. What Kind of Agreement is Needed?
     • Division Requirement for Assurance of Confidentiality
       • Division Business Associate
       • DHHS Business Associate
     • Memorandum of Understanding
       • State Government Business Associate
     • DHHS Contract
       • External public/private contractor/vendor

  28. Business Associate Strategies
     • Identify current contractors who will become Business Associates
     • Negotiate with potential Business Associates
     • Develop back-up plan
     • Establish training materials
     • Develop action plans

  29. Potential Problems with Business Associate Process
     • Not identifying all business associates
     • Inadequate contracts
     • Allowing sufficient time to negotiate changes in contracts
     • Non-compliant contractor
     • Non-compliant sub-contractor

  30. QUESTIONS?
     Next: Administrative Requirements

  31. Administrative Requirements

  32. Designated Persons
     • Covered health care components are required to:
       • Designate a privacy official
         • Development and implementation of policies and procedures
       • Designate a contact person or office responsible for
         • receiving complaints
         • providing further information about matters covered in Notice of Privacy Practices
     • Personnel and offices selected to fill these 2 requirements must be documented
       • in accordance with Rule’s documentation requirements
       • as required in Notice of Privacy Practices

  33. Privacy Training
     • Covered health care components are required
       • To provide privacy training to its workforce
         • Component policies and procedures relevant to PHI
         • Training necessary to carry out job functions
       • ALL staff must be trained no later than 4/14/03
       • Train NEW employees within reasonable time after employment
       • When changes in policies and procedures occur, train affected staff within reasonable period of time
       • Document training provided
         • Component wide
         • Individual (signed verification recommended)

  34. Sanctions
     • Covered health care components are required to:
       • Develop a system of sanctions for employees who violate the health care component's privacy policies
       • Not applicable to
         • Whistleblowers
         • Workforce member crime victims
         • Workforce member filing complaint with OCR, testifying, assisting or participating in an investigation, compliance review or similar proceeding
       • Document applied sanctions

  35. Intimidating or Retaliatory Acts/Waiving Rights
     • Covered health care components are required to:
       • Refrain from intimidating or retaliatory acts
         • May not intimidate, threaten, coerce, discriminate against, or take other retaliatory action against
           • Clients for exercising their privacy rights including filing complaints
           • Clients or other persons for
             • filing complaints with OCR
             • testifying, assisting, or participating in an investigation, compliance review, proceeding or hearing
             • opposing any act or practice made unlawful by the Rule
       • Refrain from requiring clients to waive their privacy rights as condition for treatment, payment, enrollment in health plan, or eligibility for benefits

  36. Safeguards
     • Covered health care components are required to:
       • Have in place appropriate administrative, technical and physical safeguards
       • Reasonably safeguard PHI from any intentional or unintentional use or disclosure
     • Security Regulations will work hand in hand with Privacy
     • Until Security Regulations are finalized, this is only relative to security

  37. Mitigation
     • Covered health care components are required to:
       • Mitigate, to the extent possible, any harmful effects of a violation of privacy policies and procedures or HIPAA privacy requirements by the covered health care component or its business associates
     Mitigate - to make less severe or painful.

  38. Policies and Procedures
     • Covered health care components are required to:
       • Develop and implement policies and procedures with respect to PHI
         • Flexible and Scalable
       • Change policies and procedures as necessary
         • resulting from changes in laws/regulations
         • if changes in policies/procedures impact Notice of Privacy Practices, must make changes in Notice
           • state the changed practice
           • make revised notice available as required
           • cannot implement policy/procedure change prior to effective date of revised Notice
         • document revised policy/procedure

  39. Policies and Procedures
     Policy Matrix available at: http://dirm.state.nc.us/hipaa/hipaa2002/toolsandtemplates/toolsandtemplates.html#pri1

  40. Documentation
     • Covered health care components are required to:
       • Meet documentation requirements
         • Maintain policies and procedures
         • Any communication required in Rule to be in writing (e.g., Consent, Authorization)
         • Other actions, activities or designations required by Rule
       • Maintain documentation in written or electronic form
       • Retain documentation for 6 years
         • from date of its creation
         • date when last in effect
         • whichever is later

  41. Designated Record Sets
     • Covered health care components must identify their Designated Record Sets
     • Document Designated Record Sets
       • By Type (e.g., Medical Record; X-rays; HSIS; HEARTS)
       • Content (e.g., Demographics; Assessments; Diagnosis)
     • Identify records that are not Designated Record Sets - For Example
       • Incident Reports
       • Psychotherapy or other working notes
       • Copies of reports also maintained in medical records - not used or disclosed within or outside the component
       • Utilization Review or Quality Improvement records
       • Appointment or surgical schedules
       • Dictation Tapes

  42. Designated Record Sets
     • Include records maintained by Division Business Associates and DHHS Business Associates
     • Include records maintained by State Government Business Associates or External Business Associates if they are maintained on behalf of covered health care component
       • e.g., Billing Records maintained by a private billing service

  43. Designated Record Sets
     • Utilize the Business Information Flow Assessment
       • Defines types of information maintained by various component work groups
     • Include record sets maintained in all types of media
       • paper, oral, video, electronic, etc.

  44. QUESTIONS?
     Next: Compliance and Enforcement

  45. Compliance & Enforcement

  46. Compliance
     • Required of all covered entities
     • NC DHHS is responsible for ensuring compliance by covered health care components within DHHS, as a hybrid entity
     • NC DHHS is NOT responsible for ensuring compliance by local agencies
       • Not under the single legal entity of NC DHHS
     • With or without a complaint the Secretary may conduct compliance reviews

  47. Office of Civil Rights (OCR)
     • OCR given delegation of authority to enforce privacy rule
       • Technical assistance (TA): Helping covered entities achieve compliance
       • Compliance reviews
       • Investigation & resolution of complaints

  48. Complaints
     • Any person or organization who believes a covered entity is not complying with HIPAA requirements may file a complaint with Covered Entity or OCR
       • Must be filed in writing (on paper or electronically)
       • Must name entity that is subject of complaint
       • Describe acts or omissions believed to be in violation
       • Only for possible violations occurring after compliance date (4/14/03)
       • Must be filed within 180 days of when complainant knew or should have known that violation occurred
         • unless time limit is waived for good cause
     • Secretary may investigate complaint
       • Review of pertinent policies, procedures or practices
       • Review of circumstances regarding alleged acts or omissions concerning compliance

  49. Covered Entity Responsibilities
     • Provide Records and Compliance Reports
       • Cooperate with OCR during complaint investigations and compliance reviews
     • Permit Access to Information
       • During normal business hours
       • Access to pertinent facilities, books, records, accounts and other sources of information (including PHI)
       • If any requested information is in possession of another agency that fails or refuses to provide the information, must document efforts made to obtain the information

  50. Enforcement
     • Enforcement Regulations not published
     • DHHS to issue Enforcement Requirement
       • Applicable to covered health care components for all HIPAA regulations
       • Address imposition of civil monetary penalties
       • Address referral of criminal cases where violation of Privacy Rule has occurred
